<div dir="ltr">I ran some more tests and I've found that it's a general sssd issue which affects everything handled by sssd (pam, ssh, sudo). I see similar problems with 'su - username'. I'm guessing that kinit works since it bypasses sssd. Does anyone have any ideas on debugging this?</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 17, 2015 at 2:54 PM, Prasun Gera <span dir="ltr"><<a href="mailto:prasun.gera@gmail.com" target="_blank">prasun.gera@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Sorry, the message got sent accidentally earlier before I could provide all the details. <div><br></div><div>Version: 4.1.0 on RHEL 7.1 x86_64<br><div><br></div><div><span class=""><div style="font-size:12.8000001907349px">Steps:</div><div style="font-size:12.8000001907349px">1. ipa-server-install</div><div style="font-size:12.8000001907349px">2. service sshd restart</div></span><div style="font-size:12.8000001907349px">3. kinit admin <span style="font-size:12.8000001907349px"><- This always works</span></div><div style="font-size:12.8000001907349px">4. ssh admin@localhost <- This works for the first time, fails second time onwards</div><div style="font-size:12.8000001907349px"> ssh admin@host_addr from external system <- This also works the first time, fails second time onwards</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px">5. ipa-server-install --uninstall</div><div style="font-size:12.8000001907349px">6. go to 1</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px">The log messages in /var/log/messages point to <span style="font-size:12.8000001907349px">[sssd[krb5_child[21029]]]: Decrypt integrity check failed at the point of the authentication failure</span></div><div><span style="font-size:12.8000001907349px">sssd's log's have a lot of "No matching domain found for user" messages.</span></div><div><span style="font-size:12.8000001907349px">/var/log/krb5kdc.log has a lot of </span>error decoding FAST: <unknown client> for <unknown server>, Decrypt integrity check failed while handling ap-request armor</div><div><br></div><div>The only ERROR I can see in /var/log/ipaserver-uninstall.log is </div><div>pkidestroy : ERROR ....... subprocess.CalledProcessError: Command '['/usr/bin/sslget', '-n', 'subsystemCert cert-pki-ca', ......returned non-zero exit status 6!<br></div><div><br></div><div><br></div><div>It appears that the uninstall process is leaving some residual configuration behind which is conflicting with the subsequent installation with the same domain name</div><div><br></div><div><br></div><div>Regards,</div><div>Prasun</div><div><br></div><div><br></div><div><span style="font-size:12.8000001907349px"><br></span></div><div style="font-size:12.8000001907349px"><br></div><div><br></div><div><br></div></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera <span dir="ltr"><<a href="mailto:prasun.gera@gmail.com" target="_blank">prasun.gera@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div>I installed the ipa-server on an RHEL 7.1 system, uninstalled it and reinstalled it with the same domain name as the first time. This somehow creates problems with ssh authentication on the server from external systems as well as from the server itself. </div><div><br></div><div>Steps:</div><div>1. ipa-server-install</div><div>2. service sshd restart</div><div>3. kinit admin</div><div>4. ssh admin@localhost</div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>